[57] ABSTRACT

Control of network surveillance in communications networks is accomplished by dividing the surveillance task into two sub-tasks. The first sub-task automatically identifies communications within the network which are to be monitored. Such identification is accomplished by the application of a reasoning system to data received from the network. The identification of the data to be monitored is received by the second sub-task along with network topology information. The second sub-task also applies a reasoning system to this data in order to configure probes and switches within the network so that the identified data can be captured.

27 Claims, 5 Drawing Sheets
METHOD AND APPARATUS FOR SURVEILLANCE IN COMMUNICATIONS NETWORKS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is directed to a method and apparatus for providing surveillance capabilities in a communications network, where the surveillance decisions are made automatically by an analysis of data traversing the network.

2. Description of Related Art

There is a large amount of traffic flowing through today's computer networks, and not all of this traffic is benign. Thus, the owner or supervisor of the network may need to "listen in on" network communications in order to effectively monitor and secure the network. Such monitoring or surveillance can be achieved by connecting a probe to the network in order to monitor data traveling between two or more nodes (e.g., user workstations) on the network.

Currently, the task of surveillance is "knowledge-intensive," in that human operators generally decide when it is advisable to survey, whom to survey, how long to survey, what kind of information to look for, and how to survey (i.e., where to place the network probes). Thus the surveillance task, as currently known, requires considerable intervention on the part of a human operator.

In a system where communications between two nodes are in the form of discrete packets, the network probe can "read" a packet of data in order to discover information such as the source and destination addresses of the packet, or the protocol of the packet. In addition, over time, measurements can be computed such as the average or total amount of traffic of a certain protocol type during a specific week, or a total number of packets sent to or from a node. This information may then be reported to a system administrator in real-time, or may be stored for later analysis.

Clearview Network Window, a software program available from Clear Communications Corporation, of Lincolnshire, Ill., U.S.A., allegedly provides predictive/proactive maintenance, intelligent root-cause analysis, and proof-of-quality reports. However, the output is designed for network fault management, which is not the same as "tapping" into a communication between nodes in the network. Thus, the Clearview system does not allow monitoring of data transferred between two nodes in the network with regard to content or characteristics.

Livermore National Laboratory, Livermore, Calif., U.S.A., developed a group of computer programs to protect the U.S. Department of Energy's computers by "sniffing" data packets that travel across a local area network. The United States Navy used one of these programs, known as the "iWatch" program, in order to wiretap the communications of a suspected computer hacker who had been breaking into computer systems at the U.S. Department of Defense and NASA. The iWatch program uses a network probe to read all packets that travel over a network and then "stores" this information in a common data repository. A simple computer program can then be written to read through the stored data, and to display only "interesting" information. What may be "interesting" is determined by the individual preparing the program and is defined in different ways, e.g., "login names that do not belong to the following: {X, Y, Z . . . }." Whenever an interesting piece of information is found within the stored data, the stored data is rescanned and a specific number of characters on both sides of the "interesting" piece are reported. These interesting characters are then reviewed in order to determine the content of the message and as a guide to future monitoring activity.
While the iWatch program appears to have been successful in catching at least one computer hacker, it has several limitations. Specifically, the decision to perform a surveillance session on a particular communication node was made by an individual. This requires that knowledge be conveyed to the individual and that the individual make a judgment to proceed with the surveillance. Once the decision to perform the surveillance is made, all of the data which flows through the node is collected. In other words, the data collection step is not selective. All of the data is collected and stored in a large database for later analysis.

Thus, the iWatch method is limited by the size of the database used. In order to provide the most flexibility, large storage units must be set aside, increasing the cost and complexity of the iWatch system. Further, the analysis of the collected data is not performed in real-time. Rather, the software program reads through the stored data in order to determine what is "interesting." Thus, there is a lag between the time that the data is collected and the analysis to determine if there are communications which should be monitored. This can be a disadvantage since, many times, in order to catch a skilled computer hacker, it is necessary to react immediately to the hacker's presence. Finally, once the "interesting" data has been identified in the iWatch system, once again an individual operator must make the determination as to where the network probe will be placed in the network in order to "tap" the desired communications. These requirements for human intervention are thus key steps in the iWatch surveillance system which reduce its efficiency and usefulness.

SUMMARY OF THE INVENTION

According to the present invention, a method and apparatus are provided for automatically and intelligently determining when and how to monitor network activity for surveillance purposes.

In a specific embodiment, the system utilizes two reasoning agents which in combination carry out the surveillance task. The inputs and outputs of these agents are defined, but there are several ways to construct the agents depending on the reasoning model or paradigm selected.

In one embodiment, a first reasoning agent receives accounting data from the network which includes a list of communications data sent over the network for a specified time period. The list may include an identification of both the source and destination of the data, and may further identify the protocol used and volume of data sent.

The output of the first reasoning agent (which is provided as an input to the second reasoning agent) may include: whom-to-survey, when-to-survey, and a level-of-surveillance. For example, whom-to-survey may be expressed as communications either: a) sent from a given source; b) delivered to a given destination; or c) sent between a given source and destination. When-to-survey may be expressed as a time interval. Level-of-surveillance may take the form of: volume (data units in/out); protocol; and/or content.

Additional inputs to the second reasoning agent include the network topology and locations of network probes. The goal of the second reasoning agent is to determine which network probes to activate and the instructions needed to set parameters on these network probes in order to monitor,
filter and provide the communications of interest (as determined by the output of the first reasoning agent).

By separating the tasks performed by the first and second reasoning agents, and constructing each agent to enhance the separate tasks, a more efficient method of surveillance is achieved.

For example, in a preferred embodiment, a rule-based reasoning system is used for the first reasoning agent, and a constraint-based reasoning system is used for the second reasoning agent, as described in greater detail below.

Surveillance decisions are thus made automatically rather than having decisions made by individuals, and the appropriately programmed tasks analyze the data and implement the surveillance. Specifically, the decision points of: 1) whether and whom to tap; 2) what level of tapping; 3) where to activate probes in the network; and 4) an interpretation of what is heard, can all be automatically accomplished.

The surveillance system of the present invention can be configured to act as either an advisor to a network administrator or configured to work in a fully-automated mode in which decisions are made and necessary actions taken without operator intervention.

The method and apparatus may be implemented in either a router-based or switch-based network, or in a hybrid router/switch-based network.

These and other features and benefits of the present invention will be set forth in the following detailed description and drawings which are given by way of example only and are in no way restrictive.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a schematic diagram of a network and system incorporating the present invention;

FIG. 2 is a flowchart representing an overview of operations performed in the present invention;

FIG. 3 is a block diagram representation of one embodiment of the present invention;

FIG. 4 is a flowchart showing the steps performed in the identification reasoning agent; and

FIG. 5 is a flowchart representing the steps performed in the probe control reasoning agent.

DETAILED DESCRIPTION

A first embodiment of the invention will be described for use in a switch-based network. A switch-based network includes a plurality of devices, such as workstations, printers, storage devices, servers, etc., connected to one another through a plurality of switches. The switches are configured so as to direct a message, usually in the form of a data packet, from a source to a destination. For example, in the MMAC-Plus® system available from Cabletron Systems, Inc., Rochester, N.H., U.S.A., the switches may reside in a common chassis or be distributed amongst more than one chassis. Although a switch-based network is described, one of ordinary skill in the art will understand that the present invention can be applied in other types of networks.

As shown schematically in FIG. 1, a switched network 100 includes a plurality of switches 102 connected to one another, and a plurality of end nodes 104 each connected to one or more of the switches 102. Data between any two end nodes 104 is sent through at least one switch 102. A network management system 106 includes a topology service, coupled to the network 100 so as to determine the topology of the network and to monitor other network functions. Spectrum®, a network management system available from Cabletron Systems, Inc., polls the network 100 on a regular basis in order to determine the status of the switches 102 and other network devices 104 and maintains information about the topology of the network and about the operations of the network devices.

A processing unit or CPU 108 is connected to the network management system 106 to receive information regarding the operation of the network 100. A memory 110 and storage device 112 are connected to the processor 108 to provide temporary and permanent storage, respectively, of information required by the processor 108. In one embodiment, processor 108 may be running VLAN Manager software available from Cabletron Systems, Inc., which enables "virtual LANs" to be established between different groups of users and/or applications. A display unit 114 is connected to processor 108 so as to display, generally in graphic form, a representation of the network including its topology and functions. Through either keyboard and/or mouse input devices 116a, 116b, connected to the processor 108, and through the interface program of VLAN Manager, a user can perform various analyses of the network, control the configuration of the network, e.g., adding or deleting nodes and/or switches as the network changes, and monitor data transmissions, as discussed below in more detail.

The VLAN Manager is run on a processor capable of supporting at least one of Windows NT 3.51, Solaris 2.4, HP-UX 10.01 and 10.10, AIX 4.0 and IRIX 5.3 operating systems. Any one of a number of commercial or proprietary processors may be used. Generally the CPU platform 108 requires a minimum of sixty-four Megabytes RAM, 100 Megabytes of swap space and 150 Megabytes of available disk drive space.

If a user wishes to monitor data or communications between, for example, a source node 104a and a destination node 104b, in the switched network (see FIG. 1), the user may connect a data analyzer or probe 118 to the network to review the "tapped" data. As disclosed in commonly assigned and co-pending U.S. patent application Ser. No. 08/790,473, entitled "Method and Apparatus to Establish a Tap-Point in a Switched Network Using Self-Configuring Switches Having Distributed Configuration Capabilities," by Yanacek et al., issued Aug. 19, 1999 as U.S. Pat. No. 5,940,376 (hereinafter "Yanacek"), which is herein incorporated by reference in its entirety, a user can plug the probe 118 into any switch 102 in the network to which the user has convenient access. Alternatively, a tap-point can be established as disclosed in commonly assigned U.S. patent application Ser. No. 08/370,158 entitled "Use of Multipoint Connection Services to Establish Call-Tapping Points in a Switched Network," by Dev et al. (hereinafter "Dev"), which issued as U.S. Pat. No. 5,627,819 on May 6, 1997, which is also hereby incorporated by reference in its entirety. In either approach, a probe or tap-point can be established which either receives specific transmissions within the network or is configured to receive all data transmitted by the network.

The probe 118 includes a memory 120 and a storage device 122. In the systems referenced above, the probe 118 may be considered just another device in the switched network, similar to the workstations, printers, storage devices, servers, etc. In addition, there may be multiple probes connected to the switch and/or at other points in the network. As shown, the probe 118 communicates with the CPU 108 over interface 119.

As an overview of the operation of the present invention, a flowchart as shown in FIG. 2 will be referenced. In step
200, accounting data (AD) is received by the processor 108. The accounting data consists of a list of communications over the network for some specified time period. The list may consist of source/destination pairs or may consist of further information such as the communications protocol used and volume of communications for each pair. As the accounting data is received, in step 202, the data is analyzed.

In the present invention, at step 204, traffic on the network which merits further attention is identified. This identification is accomplished automatically and in real-time by the application of reasoning paradigms, e.g., rule-based reasoning, case-based reasoning, constraint-based reasoning, fuzzy logic or neural net analysis. Additional discussion of these and other reasoning paradigms can be found in Artificial Intelligence: A Modern Approach, by Stuart Russell and Peter Norvig, Prentice Hall, N.J., 1995. By application of any one or more of these reasoning approaches, any traffic on the network which is suspect or which requires further analysis is automatically identified. The parameters which define suspect traffic or transmissions within the network are set within the reasoning system, as discussed below in more detail.

Once network traffic or data to be tapped or monitored is identified in step 204, the network probe or probes, and/or network switch or switches, are configured in order to collect the data identified in step 206. The identification of the probes and/or switches to be used and/or configured is determined from an analysis of the topology of the network in combination with the system being used for setting up a tap which, as above, can be either the Liessner or Dev systems referenced above. The determination as to how to configure the probe and/or switches is also based upon an application of the reasoning approaches which were discussed with regard to step 204. Of course, the criteria for determining which switches and probes to use in order to tap into a given connection in the switched network differ from those used in establishing the criteria for identifying the traffic to be monitored in step 204. Once the probe and switches have been configured, in step 208 the identified traffic is "tapped" and stored for analysis. In this manner, the occurrence of network traffic which merits further attention can be automatically identified without the intervention of an operator and thus accomplished in real-time.

As used in this specification, "real-time" is a matter of degree and not a true/false absolute. Real-time in the short term involves reasoning about those tasks that require close to instantaneous action, with minimal time to think about options, plans, strategies, etc. Real-time in the long term involves reasoning about tasks for which there is time to think about options, plans, etc., i.e., tasks for which action is not urgent.

Within the processing unit 108, the functions as disclosed in steps 202 and 204 are accomplished within an Identification Reasoning (IR) agent 300 as shown in FIG. 3. The IR agent 300 can be implemented as a software program operating within the processing unit 108. The operation of configuring network probes and/or network switches in order to tap identified traffic as per step 206 is performed within a Probe Control Reasoning (PCR) agent 302, which is coupled to the IR agent 300. Similar to the IR agent 300, the PCR agent 302 is a software program which operates on the output from the IR agent 300.

As shown in FIG. 3, the IR agent 300 receives accounting data 304 as an input along with information reasoning (IR) parameters 306. The IR parameters 306 are determined by an operator and are the criteria used by the IR agent 300 in order to identify network traffic or data which merits further attention. The IR parameters 306 include, but are not limited to, particular user names, logical source or destination addresses, physical source or destination addresses, traffic volume thresholds which when exceeded may cause further analysis, communications from or to particular nodes in the network, communications between particular nodes (the classic "wire-tap"), and communications routed through a [...]. [...] being represented in the preferred embodiment, the [...] applicable to monitoring [...] communication from/to particular sources or destinations [...] destination address. The accounting data 304 may include, but once again is not limited to, communications over the network for a specified time period. This information may consist of source/destination pairs or may consist of further information such as communications protocol and volume of communications for each pair.

[...] database and is triggered by abnormal events. As an example, the IR agent 300 might simply look at all "spikes" or sudden increases in a parameter and review the sources and destinations of the message units that caused the spike. As a further example, when all traffic data for a particular period of time has been downloaded to an accounting database, for example, the IR agent 300 might be programmed to look for instances of links with exceedingly high volume. Those links that exceed a predetermined threshold would then be chosen for further investigation.

The IR agent 300 applies the IR parameters 306 to the accounting data 304 in order to provide a three part output. This output data 307 includes information regarding: 1) who to survey; 2) when to survey; and 3) a level of surveillance. The indication of who to survey could include, for example, all communications delivered from a given source, all communications delivered to a given destination, or all communications between a given source and destination. The level of surveillance may indicate collection of, for example, the volume of communication, measured in data units in or out; the protocol being used by a particular message; and/or the contents of the communication, i.e., the message.

The PCR agent 302 receives the who, when and level information from the IR agent 300. The PCR agent 302 also receives probe control reasoning parameters 308 and network topology information 310. The PCR agent 302 automatically applies the network topology information and the reasoning parameters in order to determine probe control output information 312 to configure the probes and switches in order to carry out the monitoring of data as per the output from the IR agent 300.

The probe control output information 312 coming from the PCR agent 302 is in a form such that the network management system 106 is able to configure the switches so as to accomplish the tap. Accordingly, the PCR agent 302 would include information regarding, for example, either the Liessner method and apparatus, or the Dev multipoint connection service, so that commands can be executed. The PCR agent 302 stores the format structures for a multitude of different networks and/or switching protocols. The network topology information 310 would then include an indication as to the type of network so that the PCR agent 302 could format its probe control information 312 accordingly. Further, a universal standard could be established whereby the probe control information 312 is in a standard
format which is not specific to any particular vendor's network management platform. Any network management platform which conforms to the standard would receive this standardized probe control information and translate it so that the tapping connections could be established. In this manner, as new network management platforms become available, the PCR agent need not be updated since its output is of a form that any new network management platform (which complies with the standard) can understand.

Operations within the IR agent 300 will now be discussed in more detail with regard to the flowchart shown in FIG. 4. In step 400, the reasoning parameters are programmed into the IR agent 300. In a preferred embodiment, a rule-based reasoning system has been used in the IR agent 300.

In step 402, the accounting data, as described above, is received by the IR agent 300. The reasoning parameters, according to the rule-based reasoning system, are applied to the received accounting data in step 404. In step 406, the who, when and level results, which are the results of the application of the reasoning parameters to the accounting data, are output. As long as accounting data is received in step 402, steps 404 and 406 are executed. Of course, if necessary, step 400 can be executed when the rules of the rule-based reasoning system need to be changed or updated.

A rule-based reasoning system was chosen for the information reasoning agent since it is relatively easier to understand than case-based reasoning, fuzzy logic, neural networks or other reasoning paradigms. Further, and more importantly, since the monitoring of a network can be expensive, a reasoning paradigm that operates in close to real-time and uses minimal CPU cycles is desirable. A one-ply rule-based system satisfies this requirement since it functions in a manner similar to a look-up table. There are, however, disadvantages associated with a rule-based system since it cannot learn and evolve as the usage of the network evolves. This represents a trade-off between thoroughness and speed. Certainly, depending upon the resources available and desired thoroughness of analysis, other reasoning systems can be used rather than a rule-based system.

The rules which determine how to identify network communications which are to be monitored are established in the IR agent 300. Merely as examples as to how the rules may function, the following scenarios are provided:

Scenario 1: the network in question is proprietary and all of the users and agents send short and to-the-point messages.

Rule for scenario 1: if any packet is more than X bytes long, then the source of the packet is suspect.

Scenario 2: the network is proprietary, and agents always send messages of protocol type Y.

Rule for scenario 2: if any packet is not of type Y, then the source and destination of the packet are suspects.

Scenario 3: the network is proprietary and it is known that server S should never receive any messages, in other words, there should be no attempts to log onto this server S.

Rule for scenario 3: if any packets have a destination S, then the source of the packet is suspect.

The PCR agent 302 is programmed with the reasoning parameters in step 500 as shown in FIG. 5. A constraint-based reasoning system has been chosen in the preferred embodiment for the PCR agent 302. Constraint-based reasoning was chosen because, at this stage of the surveillance task, the required analysis becomes more complex. The constraints imposed on the PCR agent 302 are the who to survey, when to survey, level of surveillance information, and the network topology information 310 which includes the locations of any available probes.

A goal of constraint-based reasoning is to satisfy as many of the constraints as possible. As an example, the level of surveillance might have to be down-graded from actual content to data units in/out in order to satisfy all the other constraints. Alternatively, the who of surveillance might have to be down-graded from source and destination to only source. In general, there will be several ways to satisfy some, but not all, of the constraints.

As an example, one of the controls in the case-based reasoning system may require that given a choice between down-grading the level of surveillance or who to survey, always down-grade the "who to survey" setting. It should be noted that the who to survey, when to survey and level of surveillance are "soft-constraints." The placement of probes, however, is typically a "hard-constraint" and the network topology is an even harder constraint.

Once the constraint parameters of the PCR agent 302 are established, network topology data is received in step 502. The PCR agent 302 is constantly updated with the network topology data so that its perception of the network is accurate. As is known, the topology of a network is dynamic and may change over time. The PCR agent 302 must have information about the topology of the network in order to make proper connections when attempting to tap into communications in the network. In step 504, the who, when and level data are received from the IR agent 300. The constraint-based reasoning algorithms are applied to the network topology data and the data received from the IR agent 300 in step 506. The output from the PCR agent 302, i.e., the probe control data 312, is determined and output in step 508.

This probe control data is used to control the configuration of the probes and switches so that the desired data can be monitored. Control then returns to step 502, the receipt of the network topology data, and steps 504, 506, 508 are repeated. The network topology data is constantly received so that existing taps are maintained in the event that the topology of the network changes. In other words, if there is a change to the topology which disrupts the tapping of particular network communications, the PCR agent [...] the topology change so as to maintain the tapping of the data. This may involve rerouting communications to a probe [...] the tap can no longer be maintained because of a change in the topology of the switching system.

The two reasoning agents 300, 302 in combination carry out the surveillance task. The inputs and the outputs of these agents have been determined, but one of ordinary skill in the art can see that there are several ways to construct the reasoning agents depending on the reasoning paradigm utilized. Thus, for a preferred embodiment, a rule-based reasoning system was selected for the IR agent 300 and a constraint-based reasoning system was chosen for the PCR agent 302; however, it is clear that different reasoning systems may be chosen, respectively, for the agents.

Although the present embodiment is disclosed within the operation of a switch-based network, it is clear that the invention also applies to router-based networks and hybrid router/switch-based networks. Further, as is known, many kinds of network probes are commercially available. No assumptions nor restrictions about vendor-specific probes have been made. An example of a commonly available probe is the Intelligent RMON/RMON2 Enterprise Probe available from Frontier Software Development, Inc., Chelmsford, Mass., U.S.A. This Enterprise Probe uses the RMON standard to provide diagnostic operations for complex network configurations.
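The two-agent pipeline described above (the one-ply rule-based IR agent running the three scenario rules, followed by the constraint-based PCR agent that keeps probe placement and topology as hard constraints and relaxes "who" before "level"), as an added example that is not code from the patent. The record and probe types, the level of surveillance attached to each rule, and the sample topology and accounting records are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Levels of surveillance, most to least detailed. The PCR agent relaxes along
# this order (content -> protocol -> volume) when no probe can deliver a level.
LEVELS = ("content", "protocol", "volume")

@dataclass(frozen=True)
class AccountingRecord:
    """One entry of accounting data 304 (field set constructed for the example)."""
    src: str
    dst: str
    protocol: str
    nbytes: int      # volume of the communication
    period: str      # accounting time period the record belongs to

@dataclass(frozen=True)
class Directive:
    """IR agent output 307: whom-to-survey (None = any node), when, and level."""
    src: Optional[str]
    dst: Optional[str]
    when: str
    level: str

@dataclass(frozen=True)
class Probe:
    name: str
    switch: str          # switch the probe is plugged into: a hard constraint
    levels: frozenset    # levels of surveillance this probe can capture

@dataclass(frozen=True)
class ProbeConfig:
    """Probe control data 312 for one tap."""
    probe: str
    src: Optional[str]
    dst: Optional[str]
    when: str
    level: str

# IR parameters 306 for the three scenarios in the text; the values are constructed.
IR_PARAMS = {"max_bytes": 512, "expected_protocol": "Y", "quiet_server": "S"}

def ir_agent(records, params=IR_PARAMS):
    """One-ply rule-based IR agent: each rule is tested once against each record,
    so the agent behaves like a look-up table (no chaining, no learning). The
    level attached to each rule is an assumption; the text leaves it open."""
    found = {}   # dict used as an insertion-ordered set to drop duplicates
    for r in records:
        if r.nbytes > params["max_bytes"]:               # rule for scenario 1
            found[Directive(r.src, None, r.period, "content")] = None
        if r.protocol != params["expected_protocol"]:    # rule for scenario 2
            found[Directive(r.src, r.dst, r.period, "protocol")] = None
        if r.dst == params["quiet_server"]:              # rule for scenario 3
            found[Directive(r.src, None, r.period, "content")] = None
    return list(found)

def pcr_agent(d, topology, probes):
    """Constraint-based PCR agent. Hard constraints: topology (node -> switch)
    and probe placement, never relaxed. Soft constraints: who and level; as the
    text prescribes, 'who' is down-graded before the level is. Returns None
    when no probe can tap the traffic at all."""
    who_options = [(d.src, d.dst)]
    if d.src is not None and d.dst is not None:
        who_options.append((d.src, None))   # source and destination -> source only
    for level in LEVELS[LEVELS.index(d.level):]:
        for src, dst in who_options:
            # A probe can only see traffic that passes its own switch.
            switches = {topology[n] for n in (src, dst) if n is not None}
            for p in probes:
                if p.switch in switches and level in p.levels:
                    return ProbeConfig(p.name, src, dst, d.when, level)
    return None

def run_surveillance(records, topology, probes):
    """Steps 200-208 of the overview: identify traffic, then configure probes.
    Re-running it on fresh topology data is the loop back to step 502."""
    return [(d, pcr_agent(d, topology, probes)) for d in ir_agent(records)]

# Constructed sample network: four nodes on four switches, probes on three of
# them, and only the probe at S's switch able to capture full content.
TOPOLOGY = {"A": "sw1", "B": "sw2", "C": "sw4", "S": "sw3"}
PROBES = [
    Probe("p1", "sw1", frozenset({"protocol", "volume"})),
    Probe("p3", "sw3", frozenset(LEVELS)),
    Probe("p4", "sw4", frozenset({"volume"})),
]
RECORDS = [
    AccountingRecord("A", "B", "Y", 128, "t0"),   # benign: no rule fires
    AccountingRecord("A", "S", "Y", 64, "t0"),    # scenario 3: S must stay quiet
    AccountingRecord("B", "A", "Z", 200, "t1"),   # scenario 2: wrong protocol
    AccountingRecord("B", "C", "Z", 900, "t1"),   # scenarios 1 and 2 together
]

if __name__ == "__main__":
    for directive, cfg in run_surveillance(RECORDS, TOPOLOGY, PROBES):
        print(directive, "->", cfg if cfg else "no probe can establish this tap")
```

The B-to-C case shows the prescribed relaxation order: the level is lowered to volume only after the source-only variant of "who" has also failed the hard probe-placement constraint, and the B-only directive returns None because no probe sits on B's switch.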
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Having thus described an embodiment of the present 
inventioa, various modifications and improvements will 
occur to those skilled in the art which are intended to be part 
of this disclosure and within the scope of the invention. 
Accordingly, the foregoing description is by way of example s 
only and is not intended as limiting. 

What is claimed is: 

1. A method of monitoring data transmitted between 
nodes in a network, the method comprising steps of: 

(a) receiving, in real-time, data transmitted in the net- 
work; 

(b) analyzing, in real-time, the received data and identi- 
fying subsequent particular data and first and second 
nodes to be monitored; 

(bl) reconfiguring the network so that at least one iden- 
tified node on the network, different from the first and 
second nodes, receives the identified particular data; 

(c) monitoring, in real-lime, the identified subsequent 
particular data at the particular node; and 20 

(d) storing the monitored subsequent particular data in a 
storage device. 

2. The method as recited in claim 1, wherein step (b) 
comprises a step of: 

applying a reasoning operation to the received data to 
identify the particular data. 

3. The method as recited in claim 2, wherein the reasoning 
operation is a rule-based operation. 

4. The method as recited in claim 1, wherein the received 
data comprises identification of a source of the received data 
and identification of a destination of the received data. 

5. The method as recited in claim 4, wherein the received 
data further comprises: 

at least one of a protocol and a volume of data associated 
with the source and destination. 

6. The method as recited in claim 4, wherein step (b) 
comprises steps of: 

applying a rule-based operation to the received data to 
identify the at least one identified node to receive and 
monitor the subsequent particular data, a time period 
for the monitoring, and a level of the monitoring. 

7. The method as recited in claim 6, further comprising at 
least one step of: 

monitoring identified subsequent particular data delivered 
to at least one of the first and second nodes; 

monitoring identified subsequent particular data sent from 
at least one of the first and second nodes; and 

monitoring identified subsequent particular data sent 
between at least one of the first and second nodes. 

8. The method as recited in claim 6, wherein the level of 
monitoring comprises at least one of: 

counting a number of data units; 
determining a type of protocol used; and 
determining a content of the particular data. 

9. An apparatus for monitoring data transmitted between 
nodes in a network, the apparatus comprising: 

means for receiving, in real-time, data transmitted in the 
network; 

means, connected to the receiving means, for analyzing, 
in real-time, the received data and for identifying 
subsequent particular data and first and second nodes 
for monitoring; 

means, connected to the analyzing and identifying means, 
for reconfiguring the network so that at least one 
identified node on the network, different from the first 
and second nodes, receives the identified subsequent 
particular data in the network; and 

means for storing the monitored particular data. 

10. The apparatus as recited in claim 9, wherein the 
analyzing and identifying means comprise: 

means for applying a rule-based reasoning operation to 
the received data to identify the particular data. 

11. The apparatus as recited in claim 10, wherein the 
monitoring means comprise: 

means for applying a constraint-based reasoning opera- 
tion to monitor identified subsequent particular data. 

12. The apparatus as recited in claim 10, wherein the 
received data comprises identification of a source of the 
received data and identification of a destination of the 
received data. 

13. The apparatus as recited in claim 12, wherein the 
received data further comprises at least one of a protocol and 
volume of data associated with the source and destination. 

14. The apparatus as recited in claim 11, wherein the 
means for analyzing determines at least one of: 

the at least one node in the network to perform the 
monitoring; 

a time period during which the monitoring is to occur; and 

a level of the monitoring. 

15. The apparatus as recited in claim 9, wherein the means 
for analyzing determines at least one of: 

means for identifying at least one of the first and second 
nodes whose output data is to be monitored; 

means for identifying at least one of the first and second 
nodes where all data directed to the identified first and 
second node is to be monitored; and 

means for identifying the first and second nodes wherein 
all data between the first and second nodes is to be 
monitored. 

16. An apparatus for monitoring data communications in 
a network, the apparatus comprising: 

a first reasoning agent, having a first input to receive 
accounting data from the network and a second input to 
receive first reasoning parameters, for generating and 
outputting identification data by applying the first rea- 
soning parameters to the accounting data according to 
a first reasoning operation; and 

a second reasoning agent, having a third input to receive 
the identification data from the first reasoning agent, a 
fourth input to receive second reasoning parameters 
and a fifth input to receive network topology data, for 
generating and outputting probe control data to recon- 
figure the network by applying the second reasoning 
parameters to the identification data and the network 
topology data according to a second reasoning opera- 
tion. 

17. The apparatus according to claim 16, wherein the 
identification data comprises at least one of: 

data identifying at least one node in the network to 
monitor; 

data identifying a time period during which monitoring of 
the at least one identified node is to occur; and 

data indicating a level of the monitoring. 

18. The apparatus according to claim 16, wherein the 
probe control data comprises: 

network switch configuration data. 

19. The apparatus according to claim 16, wherein the first 
reasoning operation is a rule-based operation and the second 
reasoning operation is a constraint-based operation. 
20. The apparatus according to claim 16, wherein each of 
the first and second reasoning agents comprises: 

a processing unit; and 

a memory unit coupled to the processing unit, the memory 
unit storing a program according to the respective 
reasoning operation. 

21. An apparatus for monitoring data communications in 
a network, the apparatus comprising: 

a first reasoning agent for identifying data communica- 
tions within the network to be monitored; and 

a second reasoning agent, coupled to the first reasoning 
agent, for reconfiguring at least one switch within the 
network to redirect the identified data communications. 

22. The apparatus as recited in claim 21, wherein: 

the first reasoning agent receives accounting data from the 
network and outputs identification data by applying a 
first reasoning operation. 

23. The apparatus as recited in claim 22, wherein: 

the second reasoning agent receives the identification data 
from the first reasoning agent and outputs probe control 
data by applying a second reasoning operation. 
24. The apparatus according to claim 23, wherein the 
identification data comprises at least one of: 

data identifying at least one node in the network to 
monitor; 

data identifying a time period during which monitoring of 
the at least one identified node is to occur; and 

data indicating a level of the monitoring. 

25. The apparatus according to claim 23, wherein the 
probe control data comprises: 

network switch configuration data. 

26. The apparatus according to claim 23, wherein the first 
reasoning operation is a rule-based operation and the second 
reasoning operation is a constraint-based operation. 

27. The apparatus according to claim 23, wherein each of 
the first and second reasoning agents comprises: 

a processing unit; and 

a memory unit coupled to the processing unit, the memory 
unit storing a program according to the respective 
reasoning operation. 
